What happened
Aflac, a major U.S. insurance provider, disclosed that a cyberattack this summer resulted in the theft of personal data belonging to approximately 22.65 million individuals. The exposed information includes Social Security numbers, health and insurance claims data, names, dates of birth, and contact details. The company reported unauthorized access to its network on June 12, 2025, which was contained within hours, but the full scope of the breach was only recently determined. The incident was detailed in regulatory filings and follows an investigation involving third-party cybersecurity experts.
Who is affected
The breach impacts a broad group of stakeholders, including Aflac customers, employees, agents, and beneficiaries whose sensitive information was stored in affected systems. Aflac has begun notifying individuals whose data was compromised and is offering affected parties services like credit monitoring and identity protection.
Why CISOs should care
This breach underscores several critical themes for security leaders:
- Scale and sensitivity: Tens of millions of records, including highly sensitive personal and health information, can be exposed even when intrusions are contained quickly.
- Targeting of the insurance sector: Analysts believe the threat actor (potentially associated with Scattered Spider) is conducting a broader campaign against the insurance industry, a sector increasingly attractive to financially motivated attackers.
- Regulatory and operational fallout: CISOs need to anticipate the cascading effects of breach disclosures, from regulatory reporting and class actions to brand and customer trust impacts.
3 Practical Actions for CISOs
- Enhance social engineering defenses: Given indications that attackers used social engineering to gain initial access, prioritize ongoing phishing simulations, authentication hardening, and help-desk verification controls.
- Segment and monitor sensitive data stores: Tighten access controls and continuous monitoring around repositories of PII and health information to detect anomalous access patterns earlier.
- Review incident response playbooks: Conduct tabletop exercises and ensure alignment with legal and regulatory communication requirements to expedite breach response and notifications.
